Closed
Description
ref https://oauth.net/2/client-types/
This OAuth2 server implementation does not allow storing confidential clients, nor does it treat them differently from public ones.
This is a problem, and it is also the reason why it's not possible to make public-only clients that can only use the authorization code grant with PKCE, without fixing it like I did in #230, which basically circumvents this by allowing a secret to be set on a client while at the same time allowing a secret-less auth code flow. Without my suggested fix, if you set the secret to a blank or nil value, you will be able to request a token from the token endpoint with the client_credentials grant without even passing in the secret, which is horrendous.
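The failure mode described above, as an added illustration that is not code from this project or from #230: a token-endpoint check that compares the stored secret with the supplied one accepts an empty secret for a secret-less client, so a `client_credentials` request succeeds without any authentication. The hardened form beside it records the client type explicitly (the `Public` field, the `Client`/`TokenRequest` types and the `weakValidate`/`hardenedValidate` functions are all hypothetical names for this example) and restricts public clients to `authorization_code` with a PKCE S256 verifier while requiring confidential clients to present a non-empty, matching secret.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Client models what the issue argues the server must store: whether the
// client is confidential (can keep a secret) or public (cannot).
// Public is a hypothetical field introduced for this example.
type Client struct {
	ID     string
	Secret string // empty for public clients
	Public bool
}

// TokenRequest carries the token-endpoint fields relevant to the check.
type TokenRequest struct {
	ClientID     string
	ClientSecret string
	GrantType    string
	CodeVerifier string // PKCE verifier, used with authorization_code only
}

var (
	ErrUnknownClient      = errors.New("unknown client")
	ErrUnauthorizedClient = errors.New("grant type not allowed for this client")
	ErrInvalidClient      = errors.New("client authentication failed")
	ErrInvalidGrant       = errors.New("PKCE verification failed")
)

// weakValidate reproduces the behaviour the issue describes: an empty stored
// secret matches an empty supplied secret, so a secret-less client is
// "authenticated" for any grant, client_credentials included.
func weakValidate(clients map[string]Client, req TokenRequest) error {
	c, ok := clients[req.ClientID]
	if !ok {
		return ErrUnknownClient
	}
	if c.Secret != req.ClientSecret { // "" == "" passes
		return ErrInvalidClient
	}
	return nil
}

// hardenedValidate treats the two client types differently:
//   - public clients may only use authorization_code, and must pass PKCE;
//   - confidential clients must present a non-empty secret that matches.
// storedChallenge is the S256 code_challenge recorded when the code was issued.
func hardenedValidate(clients map[string]Client, req TokenRequest, storedChallenge string) error {
	c, ok := clients[req.ClientID]
	if !ok {
		return ErrUnknownClient
	}
	if c.Public {
		if req.GrantType != "authorization_code" {
			return ErrUnauthorizedClient
		}
		if !verifyPKCE(req.CodeVerifier, storedChallenge) {
			return ErrInvalidGrant
		}
		return nil
	}
	// Confidential client: a blank secret on either side is a failure, never a match.
	if c.Secret == "" || req.ClientSecret == "" ||
		subtle.ConstantTimeCompare([]byte(c.Secret), []byte(req.ClientSecret)) != 1 {
		return ErrInvalidClient
	}
	return nil
}

// s256Challenge derives the RFC 7636 S256 challenge: BASE64URL(SHA256(verifier)).
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyPKCE checks that the presented verifier hashes to the stored challenge.
func verifyPKCE(verifier, challenge string) bool {
	if verifier == "" || challenge == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(s256Challenge(verifier)), []byte(challenge)) == 1
}

func main() {
	// Constructed sample clients: one public SPA, one confidential backend.
	clients := map[string]Client{
		"spa":     {ID: "spa", Public: true},
		"backend": {ID: "backend", Secret: "s3cr3t-example"},
	}
	req := TokenRequest{ClientID: "spa", GrantType: "client_credentials"}
	fmt.Println("weak:    ", weakValidate(clients, req))          // <nil>: token issued with no secret
	fmt.Println("hardened:", hardenedValidate(clients, req, "")) // grant type not allowed for this client
}
```

The point of the split is that the decision is made on the stored client type, not on whether a secret happens to be present: a public client never reaches the secret comparison, and a confidential client with a blank secret is rejected rather than silently matched.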